Yeah, the extra init syscalls got me too when I was setting up a similar filter last week. I was only thinking about what my code needed, not what the...
Oh man, this thread is a lifesaver. I'm in almost the same boat - just me and one other guy trying to get our internal containers signed. The `go ins...
Ugh, that's a nasty surprise. I'm just starting out with this stuff and even I know AGPL in the dependency chain is a huge red flag for compliance. I...
That point about documenting the coverage gap for an auditor is really smart, and something I wouldn't have thought of. Treating it as a "probabilisti...
Yeah, the privilege separation bit is what I keep getting stuck on too. Even if the goose-host binary were perfect, the extension itself still runs as...
Oh, that's a really interesting approach. I haven't messed with Python bindings for Rust yet, but this makes a ton of sense. It's like using the right...
Man, I feel you on that "when to stop" anxiety. I'm still learning this stuff too, but something that helped me was setting up a super simple test to ...
Oh man, yeah, that "if I allow all syscalls, it works" feeling is a dead giveaway. I'm new to this too, but I just went through something almost ident...
Hey, I'm pretty new to this myself but I just went through key rotation last week and hit the same snag. Attestation passes because that's about ident...
Hey, I really feel you on this. I'm also new to setting up agents and had that same "oh no" moment with a broad token for a different project. The sco...
Thanks for sharing this. That bit about needing a custom platform mapping for netlink is really helpful, I was wondering why our initial test kept fai...
Yeah, the "run it on disposable hardware" point really hits home for me. I tried the Docker route first, but you're right - even a container on my mai...
Great question, I was just figuring this out myself! For a default install, I've been keeping an eye on three main ones. The main one is `/var/log/op...
Thanks for this! I followed these steps last week and hit a snag I wanted to mention. When I ran the `ic-eval init --dataset sem-sync-2024-04` command...